When your client’s end users report a real phishing attack in their inboxes, it could be a one-off situation. But it could also be the first sign that several members of their team have received the same attack and not everyone has reported the message.
Catching an attack early is key to containing it, stopping it, or reducing its impact. The average time to detection for ransomware is 11 days; the earlier you catch a breach, the more time you have to stop it or limit the damage.
Having a process in place for your team (alongside your client) to investigate these attacks can help catch an attack in progress or stop one from starting. These investigation steps are a baseline that your MSP can use to begin building your phishing incident response process. You may decide to expand on these steps for individual clients, add specific questions or include alternate strategies.
1. Scope the attack. If you are notified that a potential phishing attack is underway, either by a user, customer, or partner:
- Determine the total number of impacted users
- Tally reported attacks
- Communicate with the team to determine where else the message was sent
- Determine which users took actions in response to the phishing email (did they download the attachment, visit the spoofed site or give out any personal or business information such as credentials?)
- Find any potentially related activity:
  - Suspicious social media posts, messages, etc.
  - Other potentially suspicious emails
  - Additional emails with links to external and unknown URLs
  - Non-returnable or non-deliverable emails
  - Any notifications of suspicious activity
2. Analyze the message using a known clean device
Do not open phishing messages on a device with access to sensitive data or credentials, as the message may contain malware. In this step you’ll need to determine:
- Who was targeted by the message. This may be different from the "successful" recipients. Check who the message was sent to for misspelled alternate email addresses or names in greetings.
- Email address of the sender
- Subject line
- Message body
- Attachments (do not open attachments except according to your team’s pre-established procedures)
- Links, domains, and hostnames included in the message (do not follow links except according to your team’s pre-established procedures)
- The email metadata, including message headers
- Sender information from the 'From' field and the cross-authenticated user header
- All client and mail server IP addresses
- Note any "quirks" or suspicious features of the email
3. Analyze links and attachments
- Use passive collection such as nslookup and whois to find IP addresses and registration information
- Find related domains using OSINT (e.g., reverse whois) on email addresses and other registration data
- Submit links, attachments, and/or hashes to VirusTotal
- Submit links, attachments, and/or hashes to a malware sandbox such as Cuckoo, Hybrid Analysis, Joe Sandbox, or VMray.
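Steps 2 and 3 both start from the same raw message, so an analyst on a clean triage device usually pulls the indicators out of the saved .eml before anything is submitted anywhere. The script below is an added example written for this article, not HacWare's code or part of the workbook; it parses a constructed sample message (all domains and addresses are reserved test names, the attachment is harmless text) with Python's standard library and collects the sender, subject, Received-chain IPs, SPF/DKIM/DMARC verdicts, body URLs and attachment SHA-256 hashes without opening the attachment or following the link. The hashes and URLs are what you would then hand to VirusTotal or a sandbox.

```python
"""Offline triage of an .eml message: extract the indicators steps 2 and 3
ask for without detonating anything. Added example; sample data is constructed."""
import base64
import email
import hashlib
import re
from email import policy

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)",
    re.IGNORECASE,
)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk")

# Constructed sample: reserved .example/.test names, documentation IP ranges,
# and a plain-text "attachment" with a misleading double extension.
SAMPLE_ATTACHMENT = b"constructed sample attachment, not malware\n"
SAMPLE_EML = (
    "Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.7])\r\n"
    "\tby mx.client.example (Postfix) with ESMTPS id ABC123\r\n"
    "\tfor <finance@client.example>; Mon, 1 Jan 2024 09:00:00 +0000\r\n"
    "Received: from [198.51.100.23] (unknown [198.51.100.23])\r\n"
    "\tby mail.example-relay.test with ESMTP; Mon, 1 Jan 2024 08:59:58 +0000\r\n"
    "Authentication-Results: mx.client.example; spf=fail smtp.mailfrom=ceo-office.example;\r\n"
    "\tdkim=none; dmarc=fail header.from=client.example\r\n"
    'From: "CEO" <ceo@client.example>\r\n'
    "To: finance@client.example\r\n"
    "Subject: Urgent wire transfer\r\n"
    "Message-ID: <constructed-001@ceo-office.example>\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "Please review the invoice at http://invoice-portal.example-phish.test/login and reply today.\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="invoice.pdf.exe"\r\n'
    'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(SAMPLE_ATTACHMENT).decode() + "\r\n"
    "--b1--\r\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def received_ips(msg) -> list:
    """IPs from every Received header, nearest hop first, de-duplicated."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(str(hdr)):
            if ip not in ips:
                ips.append(ip)
    return ips


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts as recorded by the receiving MTA."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            results[mech.lower()] = verdict.lower()
    return results


def extract_urls(msg) -> list:
    """URLs from text bodies only; attachments are never opened or decoded as text."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        for url in URL_RE.findall(part.get_content()):
            if url not in urls:
                urls.append(url)
    return urls


def attachment_hashes(msg) -> list:
    """Filename, size and SHA-256 of each attachment (hash only, no execution)."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({"filename": part.get_filename(), "size": len(data),
                    "sha256": sha256_hex(data)})
    return out


def spoof_flags(msg, auth: dict, attachments: list) -> list:
    """Cheap header-level 'quirks' worth noting in the investigation record."""
    flags = []
    if auth.get("dmarc") == "fail":
        flags.append("dmarc-fail")
    ar = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    env = re.search(r"smtp\.mailfrom=([^\s;]+)", ar)
    hdr = re.search(r"header\.from=([^\s;]+)", ar)
    if env and hdr:
        env_dom = env.group(1).rsplit("@", 1)[-1].lower()
        if env_dom != hdr.group(1).lower():
            flags.append("mailfrom/header.from domain mismatch")
    for a in attachments:
        if (a["filename"] or "").lower().endswith(RISKY_EXT):
            flags.append("executable attachment: " + a["filename"])
    return flags


def triage(raw_eml: str) -> dict:
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else None
    auth = auth_results(msg)
    attachments = attachment_hashes(msg)
    return {
        "sender": sender,
        "subject": str(msg["Subject"]),
        "received_ips": received_ips(msg),
        "auth": auth,
        "urls": extract_urls(msg),
        "attachments": attachments,
        "flags": spoof_flags(msg, auth, attachments),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EML).items():
        print(f"{k}: {v}")
```

The Received IPs come out nearest-hop first, so the last one is the best candidate for the originating client; the URLs and hashes go to VirusTotal or a sandbox as-is, and the flags are the "quirks" that belong in the investigation notes.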
4. Categorize the type of attack that has been received (BEC, spear phishing, etc.)
5. Determine the severity of the attack by considering:
- Whether public or personal safety is at risk
- Whether personal data (or other sensitive data) is at risk
- Any evidence of who is behind the attack
- Number of affected assets
- Preliminary business impact
- Whether services are affected
- Whether you are able to control/record critical systems
Once you’ve completed these steps, move to the remediation stage of the phishing incident response process.
Building a comprehensive Phishing Incident Response plan with your clients can save both you and your client valuable time. Download the Phishing Incident Response workbook to create a unique phishing incident response plan for each of your clients.
We’ll guide you through the four stages of phishing incident response: investigation, recovery, communication and remediation, and provide helpful resources that give you and your clients the information you need to respond to a phishing incident.
Learn more about HacWare: MSP partners can decrease the likelihood their end users will click on a phishing email by 60%. Let us help you empower your client's end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to build them into your client's first line of defense against cyber attacks.
Learn more about our partner program and how we can support your MSP's growth!